[OpenStack-Infra] [zuul-jobs] configure-mirrors: deprecate mirroring configuration for easy_install

Ian Wienand iwienand at redhat.com
Mon Nov 25 05:02:13 UTC 2019


Hello,

Today I force-merged [5] to avoid widespread gate breakage.  Because
the change is in zuul-jobs, we have a policy of announcing
deprecations.  I've written the following but not sent it to
zuul-announce (per policy) yet, as I'm not 100% confident in the
explanation.

I'd appreciate it if, once proof-read, someone could send it out
(modified or otherwise).

Thanks,

-i

--

Hello,

The recent release of setuptools 42.0.0 has broken the method used by
the configure-mirrors role to ensure easy_install (the older method of
installing packages, before pip came into widespread use [1]) would only
access the PyPI mirror.

The prior mirror setup code would set the "allow_hosts" whitelist to
the mirror host exclusively in pydistutils.cfg.  This would avoid
easy_install "leaking" access outside the specified mirror.

Change [2] in setuptools means that pip is now used to fetch packages.
Since it does not implement the constraints of the "allow_hosts"
setting, specifying this option has become an error condition.  This
is reported as:

 the `allow-hosts` option is not supported when using pip to install requirements

It has been pointed out [3] that this prior code would break any
dependency_links [4] that might be specified for the package (as the
external URLs will not match the whitelist).  Overall, there is no
desire to work around this behaviour as easy_install is considered
deprecated for any current use.

In short, this means the only solution is to remove the now
conflicting configuration from pydistutils.cfg.  Due to the urgency of
this update, it has been merged with [5] before our usual 2-week
deprecation notice.

The result of this is that older setuptools (perhaps in a virtualenv)
with jobs still using easy_install may not correctly access the
specified mirror.  Assuming jobs have access to PyPI they would still
work, although without the benefits of a local mirror.  If such jobs
are firewalled from upstream they may now fail.  We consider the
chance of jobs using this legacy install method in this situation to
be very low.

Please contact zuul-discuss [6] with any concerns.

We now return you to your regularly scheduled programming :)

[1] https://packaging.python.org/discussions/pip-vs-easy-install/
[2] https://github.com/pypa/setuptools/commit/d6948c636f5e657ac56911b71b7a459d326d8389
[3] https://github.com/pypa/setuptools/issues/1916
[4] https://python-packaging.readthedocs.io/en/latest/dependencies.html
[5] https://review.opendev.org/695821
[6] http://lists.zuul-ci.org/cgi-bin/mailman/listinfo/zuul-discuss
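
The following is an added example, not part of the original message or of the zuul-jobs role. It finds an "allow_hosts" setting in a pydistutils.cfg-style file, shows why a dependency_links URL on another host fails that whitelist, and writes the file back without the option. The host name, sample file contents and function names are assumptions, and host_allowed is a simplified approximation of easy_install's glob match on the URL host.

```python
import configparser
import fnmatch
import io
from urllib.parse import urlparse

# Constructed sample of the kind of file the old mirror setup produced;
# the host name is a placeholder.
SAMPLE_CFG = """\
[easy_install]
index_url = http://mirror.example.org/pypi/simple
allow_hosts = mirror.example.org
"""

ALLOW_KEYS = ("allow_hosts", "allow-hosts")  # distutils accepts both spellings


def _load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def allowed_patterns(text):
    """Return the allow_hosts patterns from [easy_install], or [] if unset."""
    cfg = _load(text)
    if not cfg.has_section("easy_install"):
        return []
    for key in ALLOW_KEYS:
        if cfg.has_option("easy_install", key):
            raw = cfg.get("easy_install", key)
            return [p.strip() for p in raw.split(",") if p.strip()]
    return []


def host_allowed(url, patterns):
    """Approximate easy_install's check: glob-match the URL's netloc."""
    netloc = urlparse(url).netloc
    return any(fnmatch.fnmatchcase(netloc, p) for p in patterns)


def strip_allow_hosts(text):
    """Return the config text with allow_hosts removed, other options kept."""
    cfg = _load(text)
    if cfg.has_section("easy_install"):
        for key in ALLOW_KEYS:
            cfg.remove_option("easy_install", key)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()
```

A non-empty result from allowed_patterns marks a file that setuptools 42.0.0 and later will reject with the error quoted above.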
